Merge pull request #49 from vvangestel/feature/static-config

vvangestel · web-flow · commit ab822ebcc266 · 2025-07-17T09:22:37.000+02:00
Read config from local json files to not be dependant on S3 rate limits during an attack
diff --git a/doc/readme.md b/doc/readme.md
@@ -208,7 +208,7 @@ since it only contains non-secret information:
  * The expiration time of the access
 
  * The username of the person that generated the token
- 
+
  * A free-text field describing the granted access
 
 Since the party issuing tokens, and the party verifying tokens are the same, we
@@ -231,13 +231,7 @@ Cache-key][CF-cache-cookie].
 
 Normally, you can configure a generic Lambda function via Environment Variables.
 Lambda@Edge is tricky in this regard, since it does not support Environment
-Variables. We worked around this issue by abusing the Tags.
-
-The configuration itself is stored in an S3 bucket as JSON files. The name of
-this S3 bucket is passed as a regular environment variable to the Python Lambda
-functions, but as a Tag to the Lambda@Edge function. The Lambda@Edge function
-performs a `lambda:GetFunction` on itself (it can find out its own name from the
-`context` object at runtime) to read its own Tags.
+Variables. In order protect this critical internet-facing infrastructure, we limit dependencies to other services. Config is stored locally and can be updated based on environment (account id) with specific config files. It is critical to keep this configuration in sync with reality.
 
 
 Code
diff --git a/templates/validator.py b/templates/validator.py
@@ -1,10 +1,9 @@
 """
 Validator stack.
 """
-from troposphere import Template, constants, Parameter, awslambda, Ref, Output, GetAtt
+from troposphere import Template, constants, Parameter, awslambda, Ref, Output
 
 import custom_resources.awslambda
-import custom_resources.cloudformation
 import cfnutils.output
 
 
@@ -36,31 +35,15 @@
 ))
 template.set_parameter_label(param_s3_key, "Lambda S3 key")
 
-param_config_bucket = template.add_parameter(Parameter(
-    "ConfigBucket",
-    Default="",
-    Type=constants.STRING,
-    Description="Name of the configuration bucket",
-))
-template.set_parameter_label(param_config_bucket, "Lambda Config S3 bucket")
-
-cloudformation_tags = template.add_resource(custom_resources.cloudformation.Tags(
-    "CfnTags",
-    Set={
-        'ConfigBucket': Ref(param_config_bucket),
-    },
-))
-
 validator_lambda = template.add_resource(awslambda.Function(
     "ValidatorLambda",
     Code=awslambda.Code(
         S3Bucket=Ref(param_s3_bucket_name),
         S3Key=Ref(param_s3_key),
     ),
-    Runtime='nodejs14.x',
+    Runtime='nodejs22.x',
     Handler='index.handler',
     Role=Ref(param_role),
-    Tags=GetAtt(cloudformation_tags, 'TagList'),
 ))
 
 validator_version = template.add_resource(custom_resources.awslambda.Version(
diff --git a/λ@E/config.json b/λ@E/config.json
@@ -0,0 +1,8 @@
+{
+    "parameter_store_region": "eu-west-1",
+    "parameter_store_parameter_name": "/authorizer/jwt-secret",
+    "set_cookie_path": "/auth-89CE3FEF-FCF6-43B3-9DBA-7C410CAAE220/set-cookie",
+    "cookie_name_access_token": "authorizer_access",
+    "cookie_name_no_redirect": "authorizer_no_redirect",
+    "authorize_url": "https://authorizer.example.org/authorize"
+}
diff --git a/λ@E/index.js b/λ@E/index.js
@@ -12,77 +12,20 @@
 "use strict";
 
 const JWT = require('jsonwebtoken');
-const AWS = require('aws-sdk');
+const { SSMClient, GetParameterCommand } = require('@aws-sdk/client-ssm');const fs = require('fs')
 const querystring = require('querystring');
 const url = require('url');
 
 
-function asyncLambdaGetFunction(param, service_param = {}) {
-    // Async wrapper around the Lambda GetFunction API call
-    return new Promise(function(resolve, reject) {
-        const lambda = new AWS.Lambda(service_param);
-        lambda.getFunction(param, function(err, data) {
-            if(err !== null) { reject(err); }
-            else { resolve(data); }
-        });
-    });
-}
-
-function asyncS3GetObject(param) {
-    // Async wrapper around the S3 GetObject API call
-    return new Promise(function(resolve, reject) {
-        const s3 = new AWS.S3();
-        s3.getObject(param, function(err, data) {
-            if(err !== null) { reject(err); }
-            else { resolve(data); }
-        });
-    });
-}
-
-async function get_config_bucket(context) {
-    /* Lambda@Edge does not support environment parameters.
-     * We use Tags as workaround. This function gets the value of the tag.
-     */
-    const dot_location = context.functionName.indexOf('.');
-    const functionName_without_region = context.functionName.substring(dot_location + 1);
-    const lambda_description = await asyncLambdaGetFunction({
-            'FunctionName': functionName_without_region,
-        }, {
-            region: 'us-east-1',  // Lambda@Edge is always us-east-1
-        }
-    );
-    return lambda_description.Tags['ConfigBucket'];
-}
 async function get_config_(context) {
-    let config = {  // Default settings, keep in sync with Lambda-code!
-        'function_arn': context['invokedFunctionArn'],
-
-        'parameter_store_region': 'eu-west-1',
-        'parameter_store_parameter_name': '/authorizer/jwt-secret',
-
-        'set_cookie_path': '/auth-89CE3FEF-FCF6-43B3-9DBA-7C410CAAE220/set-cookie',
-        'cookie_name_access_token': 'authorizer_access',
-        'cookie_name_no_redirect': 'authorizer_no_redirect',
-
-        'authorize_url': 'https://authorizer.example.org/authorize',
+    const accountId = context.invokedFunctionArn.split(':')[4];
+    const accountSpecificConfigPath = `./config-${accountId}.json`;
+    let config = require('./config.json');
+    if(fs.existsSync(accountSpecificConfigPath)) {
+        let accountSpecificConfig = require(accountSpecificConfigPath);
+        config = { ...config, ...accountSpecificConfig};
     };
-    const config_bucket = await get_config_bucket(context);
-    try {
-        const config_response = await asyncS3GetObject({
-            'Bucket': config_bucket,
-            'Key': 'config.json',
-        });
-        const body = config_response.Body.toString('utf-8');
-        console.log("Retrieved config from S3:");
-        console.log(body);
-        const parsed_body = JSON.parse(body);
-        for(let key in parsed_body) {
-            config[key] = parsed_body[key];
-        }
-    } catch(e) {
-        console.log("Could not retrieve config from S3. Using defaults.");
-        console.log(e);
-    }
+    config['function_arn'] = context['invokedFunctionArn'];
     return config;
 }
 function get_config_promise(context) {
@@ -92,22 +35,19 @@ function get_config_promise(context) {
     return get_config_promise.cache
 }
 
-function get_jwt_secret_promise(region, param_name) {
-    if(typeof get_jwt_secret_promise.cache === 'undefined') {
-        get_jwt_secret_promise.cache = new Promise(function(resolve, reject) {
-            const ssm = new AWS.SSM({
-                'region': region,
-            });
-            ssm.getParameter({
-                    'Name': param_name,
-                    'WithDecryption': true,
-                },
-                function(err, data) {
-                    if(err !== null) { reject(err); }
-                    else { resolve(data['Parameter']['Value']); }
-                }
-            );
-        });
+async function getSSMParameter(parameter_name, parameter_region) {
+    const client = new SSMClient({ region: parameter_region });
+    const command = new GetParameterCommand({
+        Name: parameter_name,
+        WithDecryption: true,
+    });
+    const response = await client.send(command);
+    return response.Parameter.Value;
+}
+
+async function get_jwt_secret_promise(region, param_name) {
+    if (typeof get_jwt_secret_promise.cache === 'undefined') {
+        get_jwt_secret_promise.cache = await getSSMParameter(param_name, region)
     }
     return get_jwt_secret_promise.cache;
 }
